Java: solving the security issue of parsing XML with a SAX parser

Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/10837706/

Date: 2020-10-31 02:47:56  Source: igfitidea

Solve security issue parsing xml using SAX parser

Tags: java, android, xml, security, saxparser

Asked by dcanh121

I have an Android app, in which the user can enter any XML source URL to parse. My app then parses the XML (if valid) and displays results.

The issue is, if the user enters an untrusted XML source URL, the app and/or the device might be affected.

What are the best ways to identify the risk and prevent exploits?

With my research I found that enabling FEATURE_SECURE_PROCESSING and disabling expansion might help. But can anyone tell me what it is, and how do I achieve it?

Thanks.

Accepted answer by dcanh121

After researching, I found this. I hope this would solve my problem.

To enable FEATURE_SECURE_PROCESSING:

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

Disable DTDs:

spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
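The two settings from this answer, put together into a runnable SAX example. This is an added demonstration, not code from the original answer: the class name HardenedSaxDemo, the NameCollector handler and the three inline XML documents (one benign, one XXE attempt, one entity-expansion "billion laughs" attempt) are constructed for the demo. FEATURE_SECURE_PROCESSING turns on the JAXP resource limits (for example on entity expansion); disallow-doctype-decl is the setting that actually removes the XXE surface, because without a DOCTYPE no entity can be declared at all. The example also turns off the two SAX external-entity features so that the parser stays safe even if the DOCTYPE feature is relaxed later, and it deliberately lets SAXNotRecognizedException / SAXNotSupportedException propagate: if the parser on a given platform does not know a feature, failing closed is better than silently parsing unhardened input.

```java
// Added example (not from the original answer): a SAX parser configured with
// FEATURE_SECURE_PROCESSING and disallow-doctype-decl, exercised against a
// benign document, an XXE attempt and an entity-expansion attempt.
// All three documents are constructed inline for the demo.
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxDemo {

    /** Factory with the JAXP secure-processing limits on and every DOCTYPE refused. */
    static SAXParser newHardenedParser() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        // Caps entity expansion and other resource use (JAXP secure processing).
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // No DOCTYPE means no DTD, hence no internal or external entity declarations.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces: even if the DOCTYPE feature were relaxed later,
        // external entities are still never fetched.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setXIncludeAware(false);
        // setFeature() throws SAXNotRecognizedException / SAXNotSupportedException when
        // the underlying parser does not know a feature. That propagates out of this
        // method on purpose: fail closed rather than parse unhardened.
        return spf.newSAXParser();
    }

    /** Collects the text content of every <name> element. */
    static final class NameCollector extends DefaultHandler {
        final List<String> names = new ArrayList<>();
        private final StringBuilder buf = new StringBuilder();
        private boolean inName;

        @Override public void startElement(String uri, String local, String qName, Attributes atts) {
            inName = "name".equals(qName);
            buf.setLength(0);
        }
        @Override public void characters(char[] ch, int start, int length) {
            if (inName) buf.append(ch, start, length);
        }
        @Override public void endElement(String uri, String local, String qName) {
            if ("name".equals(qName)) names.add(buf.toString());
            inName = false;
        }
    }

    static List<String> parseNames(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        NameCollector handler = new NameCollector();
        newHardenedParser().parse(new InputSource(new StringReader(xml)), handler);
        return handler.names;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs for the demo.
        String benign = "<items><name>alpha</name><name>beta</name></items>";
        String xxe = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE items [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>"
                + "<items><name>&xxe;</name></items>";
        String lol = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE items [<!ENTITY a \"aaaaaaaaaa\">"
                + "<!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">"
                + "<!ENTITY c \"&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;\">]>"
                + "<items><name>&c;</name></items>";

        System.out.println("benign -> " + parseNames(benign));
        for (String hostile : new String[] {xxe, lol}) {
            try {
                parseNames(hostile);
                System.out.println("UNEXPECTED: hostile document was parsed");
            } catch (SAXParseException e) {
                // The DOCTYPE is rejected before any entity is ever declared.
                System.out.println("rejected -> " + e.getMessage());
            }
        }
    }
}
```

For the original question the InputSource would wrap the stream fetched from the user-supplied URL instead of a StringReader; the factory configuration is the same. Because the factory refuses the DOCTYPE itself, both hostile documents are rejected with a SAXParseException before any entity is resolved or expanded.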

Answered by Pierre Ernst

  • For SAX and DOM parsers, disallowing DTD should be sufficient as dcanh121 noted.

    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

  • For the StAX parser:

    factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
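The DOM and StAX settings from this answer as one runnable demonstration. This is an added example, not Pierre Ernst's code: the class name HardenedDomStaxDemo, the helper names and the sample document (which declares an internal entity whose replacement text is the literal "EXPANDED") are the demo's own. For StAX it also sets SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES to false, because IS_REPLACING_ENTITY_REFERENCES on its own only controls whether entity references in content are substituted; it does not by itself stop the parser from processing the DTD or resolving external entities and parameter entities declared there. Depending on the implementation a hardened reader either rejects the document or reports the reference as an ENTITY_REFERENCE event without its replacement text; the demo treats both as a pass and the appearance of "EXPANDED" in text as a failure.

```java
// Added example (not from the original answer): hardened DocumentBuilderFactory
// and XMLInputFactory settings, exercised against a constructed document that
// declares an internal entity and references it. The text "EXPANDED" must never
// reach the application.
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedDomStaxDemo {

    // Constructed test input: an internal entity is the cheapest way to prove
    // whether entity processing is on without touching the network or the disk.
    static final String ENTITY_DOC = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE r [<!ENTITY e \"EXPANDED\">]>"
            + "<r><name>&e;</name></r>";

    /** DOM builder that refuses any DOCTYPE and never fetches external entities. */
    static DocumentBuilder newHardenedDomBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** StAX factory with the answer's setting plus DTD and external-entity support off. */
    static XMLInputFactory newHardenedStaxFactory() {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        // The answer's setting: do not substitute entity references in text.
        xif.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
        // Also refuse DTD processing and external entity resolution, which the
        // setting above does not cover on its own.
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return xif;
    }

    /** true if the hardened DOM parser accepted the document, false if it rejected the DOCTYPE. */
    static boolean domAccepts(String xml) throws Exception {
        try {
            Document doc = newHardenedDomBuilder().parse(new InputSource(new StringReader(xml)));
            return doc != null;
        } catch (SAXParseException e) {
            return false;
        }
    }

    /** Concatenated CHARACTERS text seen by StAX, or null when the reader rejected the document. */
    static String staxText(String xml) {
        StringBuilder text = new StringBuilder();
        try {
            XMLStreamReader r = newHardenedStaxFactory().createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                int ev = r.next();
                if (ev == XMLStreamConstants.CHARACTERS) text.append(r.getText());
                // With replacement off, an entity arrives as an ENTITY_REFERENCE event
                // carrying only its name, never its replacement text.
            }
            r.close();
        } catch (XMLStreamException e) {
            return null;
        }
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("DOM accepted entity document: " + domAccepts(ENTITY_DOC));
        String t = staxText(ENTITY_DOC);
        if (t == null) {
            System.out.println("StAX rejected the document");
        } else {
            System.out.println("StAX text: \"" + t + "\" leaked=" + t.contains("EXPANDED"));
        }
    }
}
```

With the factories configured this way, domAccepts(ENTITY_DOC) is false (the DOCTYPE is rejected) and staxText(ENTITY_DOC) is either null or a string that does not contain "EXPANDED". Running the same document through an unconfigured XMLInputFactory.newInstance() is a quick way to see the replacement text leak into CHARACTERS and confirm the test actually measures something.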